cvelistv5 - CVE-2018-2879

CVE-2018-2879 (GCVE-0-2018-2879)

Vulnerability from cvelistv5 – Published: 2018-04-19 02:00 – Updated: 2024-10-03 20:08

Summary

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID <a href="http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2386496.1">My Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Severity ?

No CVSS data available.

CWE

Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.

Assigner

oracle

References

URL

Tags

	http://www.securitytracker.com/id/1040695	vdb-entryx_refsource_SECTRACK
	https://www.sec-consult.com/en/blog/2018/05/oracl…	x_refsource_MISC
	http://www.oracle.com/technetwork/security-adviso…	x_refsource_CONFIRM
	https://github.com/MostafaSoliman/Oracle-OAM-Padd…	x_refsource_MISC
	http://www.securityfocus.com/bid/103788	vdb-entryx_refsource_BID
	https://seclists.org/bugtraq/2019/Apr/27	mailing-listx_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/152551/OAMbu…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2019/Apr/28	mailing-listx_refsource_FULLDISC

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Access Manager	Affected: 11.1.2.3.0 Affected: 12.2.1.3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T04:36:38.640Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1040695",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040695"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit"
          },
          {
            "name": "103788",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/103788"
          },
          {
            "name": "20190417 CVE-2018-2879 - anniversary",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Apr/27"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html"
          },
          {
            "name": "20190418 CVE-2018-2879 - anniversary",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Apr/28"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2018-2879",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-03T19:21:06.497485Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-03T20:08:16.990Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Access Manager",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "11.1.2.3.0"
            },
            {
              "status": "affected",
              "version": "12.2.1.3.0"
            }
          ]
        }
      ],
      "datePublic": "2018-03-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.  While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products.  Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-19T07:06:04",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "name": "1040695",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040695"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit"
        },
        {
          "name": "103788",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/103788"
        },
        {
          "name": "20190417 CVE-2018-2879 - anniversary",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Apr/27"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html"
        },
        {
          "name": "20190418 CVE-2018-2879 - anniversary",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Apr/28"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2018-2879",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Access Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "11.1.2.3.0"
                          },
                          {
                            "version_affected": "=",
                            "version_value": "12.2.1.3.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Oracle Corporation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.  While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products.  Successful attacks of this vulnerability can result in takeover of Oracle Access Manager."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1040695",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040695"
            },
            {
              "name": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/",
              "refsource": "MISC",
              "url": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
            },
            {
              "name": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit",
              "refsource": "MISC",
              "url": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit"
            },
            {
              "name": "103788",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/103788"
            },
            {
              "name": "20190417 CVE-2018-2879 - anniversary",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Apr/27"
            },
            {
              "name": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html"
            },
            {
              "name": "20190418 CVE-2018-2879 - anniversary",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/Apr/28"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2018-2879",
    "datePublished": "2018-04-19T02:00:00",
    "dateReserved": "2017-12-15T00:00:00",
    "dateUpdated": "2024-10-03T20:08:16.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8DEAFEDC-2D0F-4A5F-99A0-BD41DD6DC017\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A287FA5D-D7D9-40B4-8DB2-1D7CE1808408\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\\\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\\\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad en el componente Oracle Access Manager de Oracle Fusion Middleware (subcomponente: Authentication Engine). Las versiones compatibles que se han visto afectadas son la 11.1.2.3.0 y la 12.2.1.3.0. Una vulnerabilidad dif\\u00edcilmente explotable permite que un atacante sin autenticar que tenga acceso a red por HTTP comprometa la seguridad de Oracle Access Manager. Aunque la vulnerabilidad est\\u00e1 presente en Oracle Access Manager, los ataques podr\\u00edan afectar seriamente a productos adicionales. Los ataques exitosos a esta vulnerabilidad pueden resultar en la toma de control de Oracle Access Manager. Nota: V\\u00e9ase Doc ID \u003ca href=\\\"http://support.oracle.com/CSP/main/article?cmd=showtype=NOTid=2386496.1\\\" rel=\\\"nofollow\\\"\u003eMy Oracle Support Note 2386496.1 para leer instrucciones sobre c\\u00f3mo abordar este problema. CVSS 3.0 Base Score 9.0 (impactos en la confidencialidad, integridad y disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).\u003c/a\u003e\"}]",
      "id": "CVE-2018-2879",
      "lastModified": "2024-11-21T04:04:40.597",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 6.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-04-19T02:29:07.803",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Apr/28\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/103788\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1040695\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Product\", \"Third Party Advisory\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Apr/27\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Apr/28\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/103788\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1040695\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\", \"Third Party Advisory\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Apr/27\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "secalert_us@oracle.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-2879\",\"sourceIdentifier\":\"secalert_us@oracle.com\",\"published\":\"2018-04-19T02:29:07.803\",\"lastModified\":\"2024-11-21T04:04:40.597\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\\\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\\\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad en el componente Oracle Access Manager de Oracle Fusion Middleware (subcomponente: Authentication Engine). Las versiones compatibles que se han visto afectadas son la 11.1.2.3.0 y la 12.2.1.3.0. Una vulnerabilidad dif\u00edcilmente explotable permite que un atacante sin autenticar que tenga acceso a red por HTTP comprometa la seguridad de Oracle Access Manager. Aunque la vulnerabilidad est\u00e1 presente en Oracle Access Manager, los ataques podr\u00edan afectar seriamente a productos adicionales. Los ataques exitosos a esta vulnerabilidad pueden resultar en la toma de control de Oracle Access Manager. Nota: V\u00e9ase Doc ID \u003ca href=\\\"http://support.oracle.com/CSP/main/article?cmd=showtype=NOTid=2386496.1\\\" rel=\\\"nofollow\\\"\u003eMy Oracle Support Note 2386496.1 para leer instrucciones sobre c\u00f3mo abordar este problema. CVSS 3.0 Base Score 9.0 (impactos en la confidencialidad, integridad y disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).\u003c/a\u003e\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8DEAFEDC-2D0F-4A5F-99A0-BD41DD6DC017\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A287FA5D-D7D9-40B4-8DB2-1D7CE1808408\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Apr/28\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/103788\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1040695\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Apr/27\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Apr/28\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/103788\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1040695\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Apr/27\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"Access Manager\", \"vendor\": \"Oracle Corporation\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.1.2.3.0\"}, {\"status\": \"affected\", \"version\": \"12.2.1.3.0\"}]}], \"datePublic\": \"2018-03-27T00:00:00\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\\\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\\\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).\"}], \"problemTypes\": [{\"descriptions\": [{\"description\": \"Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.  While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products.  Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.\", \"lang\": \"en\", \"type\": \"text\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2019-04-19T07:06:04\", \"orgId\": \"43595867-4340-4103-b7a2-9a5208d29a85\", \"shortName\": \"oracle\"}, \"references\": [{\"name\": \"1040695\", \"tags\": [\"vdb-entry\", \"x_refsource_SECTRACK\"], \"url\": \"http://www.securitytracker.com/id/1040695\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/\"}, {\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit\"}, {\"name\": \"103788\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\"], \"url\": \"http://www.securityfocus.com/bid/103788\"}, {\"name\": \"20190417 CVE-2018-2879 - anniversary\", \"tags\": [\"mailing-list\", \"x_refsource_BUGTRAQ\"], \"url\": \"https://seclists.org/bugtraq/2019/Apr/27\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html\"}, {\"name\": \"20190418 CVE-2018-2879 - anniversary\", \"tags\": [\"mailing-list\", \"x_refsource_FULLDISC\"], \"url\": \"http://seclists.org/fulldisclosure/2019/Apr/28\"}], \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"secalert_us@oracle.com\", \"ID\": \"CVE-2018-2879\", \"STATE\": \"PUBLIC\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"Access Manager\", \"version\": {\"version_data\": [{\"version_affected\": \"=\", \"version_value\": \"11.1.2.3.0\"}, {\"version_affected\": \"=\", \"version_value\": \"12.2.1.3.0\"}]}}]}, \"vendor_name\": \"Oracle Corporation\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\\\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\\\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.  While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products.  Successful attacks of this vulnerability can result in takeover of Oracle Access Manager.\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"1040695\", \"refsource\": \"SECTRACK\", \"url\": \"http://www.securitytracker.com/id/1040695\"}, {\"name\": \"https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/\", \"refsource\": \"MISC\", \"url\": \"https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/\"}, {\"name\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"refsource\": \"CONFIRM\", \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\"}, {\"name\": \"https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit\", \"refsource\": \"MISC\", \"url\": \"https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit\"}, {\"name\": \"103788\", \"refsource\": \"BID\", \"url\": \"http://www.securityfocus.com/bid/103788\"}, {\"name\": \"20190417 CVE-2018-2879 - anniversary\", \"refsource\": \"BUGTRAQ\", \"url\": \"https://seclists.org/bugtraq/2019/Apr/27\"}, {\"name\": \"http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html\", \"refsource\": \"MISC\", \"url\": \"http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html\"}, {\"name\": \"20190418 CVE-2018-2879 - anniversary\", \"refsource\": \"FULLDISC\", \"url\": \"http://seclists.org/fulldisclosure/2019/Apr/28\"}]}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T04:36:38.640Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"1040695\", \"tags\": [\"vdb-entry\", \"x_refsource_SECTRACK\", \"x_transferred\"], \"url\": \"http://www.securitytracker.com/id/1040695\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/\"}, {\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit\"}, {\"name\": \"103788\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\", \"x_transferred\"], \"url\": \"http://www.securityfocus.com/bid/103788\"}, {\"name\": \"20190417 CVE-2018-2879 - anniversary\", \"tags\": [\"mailing-list\", \"x_refsource_BUGTRAQ\", \"x_transferred\"], \"url\": \"https://seclists.org/bugtraq/2019/Apr/27\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html\"}, {\"name\": \"20190418 CVE-2018-2879 - anniversary\", \"tags\": [\"mailing-list\", \"x_refsource_FULLDISC\", \"x_transferred\"], \"url\": \"http://seclists.org/fulldisclosure/2019/Apr/28\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2018-2879\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-03T19:21:06.497485Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-03T19:21:29.532Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"43595867-4340-4103-b7a2-9a5208d29a85\", \"assignerShortName\": \"oracle\", \"cveId\": \"CVE-2018-2879\", \"datePublished\": \"2018-04-19T02:00:00\", \"dateReserved\": \"2017-12-15T00:00:00\", \"dateUpdated\": \"2024-10-03T20:08:16.990Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2018-2879

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-2879

Aliases

CVE-2018-2879

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-2879",
    "description": "Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).",
    "id": "GSD-2018-2879",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2018-2879"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-2879"
      ],
      "details": "Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).",
      "id": "GSD-2018-2879",
      "modified": "2023-12-13T01:22:32.132987Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert_us@oracle.com",
        "ID": "CVE-2018-2879",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Access Manager",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "11.1.2.3.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "12.2.1.3.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Oracle Corporation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.  While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products.  Successful attacks of this vulnerability can result in takeover of Oracle Access Manager."
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "1040695",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1040695"
          },
          {
            "name": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/",
            "refsource": "MISC",
            "url": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/"
          },
          {
            "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
          },
          {
            "name": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit",
            "refsource": "MISC",
            "url": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit"
          },
          {
            "name": "103788",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/103788"
          },
          {
            "name": "20190417 CVE-2018-2879 - anniversary",
            "refsource": "BUGTRAQ",
            "url": "https://seclists.org/bugtraq/2019/Apr/27"
          },
          {
            "name": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html"
          },
          {
            "name": "20190418 CVE-2018-2879 - anniversary",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2019/Apr/28"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2018-2879"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
            },
            {
              "name": "1040695",
              "refsource": "SECTRACK",
              "tags": [
                "VDB Entry",
                "Third Party Advisory"
              ],
              "url": "http://www.securitytracker.com/id/1040695"
            },
            {
              "name": "103788",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/103788"
            },
            {
              "name": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/"
            },
            {
              "name": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit",
              "refsource": "MISC",
              "tags": [
                "Product",
                "Third Party Advisory"
              ],
              "url": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit"
            },
            {
              "name": "20190417 CVE-2018-2879 - anniversary",
              "refsource": "BUGTRAQ",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://seclists.org/bugtraq/2019/Apr/27"
            },
            {
              "name": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html"
            },
            {
              "name": "20190418 CVE-2018-2879 - anniversary",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Apr/28"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 6.0
        }
      },
      "lastModifiedDate": "2019-10-03T00:03Z",
      "publishedDate": "2018-04-19T02:29Z"
    }
  }
}

FKIE_CVE-2018-2879

Vulnerability from fkie_nvd - Published: 2018-04-19 02:29 - Updated: 2024-11-21 04:04

Severity ?

9.0 (Critical) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
secalert_us@oracle.com	http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html	Third Party Advisory, VDB Entry
secalert_us@oracle.com	http://seclists.org/fulldisclosure/2019/Apr/28	Mailing List, Third Party Advisory
secalert_us@oracle.com	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Patch, Vendor Advisory
secalert_us@oracle.com	http://www.securityfocus.com/bid/103788	Third Party Advisory, VDB Entry
secalert_us@oracle.com	http://www.securitytracker.com/id/1040695	Third Party Advisory, VDB Entry
secalert_us@oracle.com	https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit	Product, Third Party Advisory
secalert_us@oracle.com	https://seclists.org/bugtraq/2019/Apr/27	Mailing List, Third Party Advisory
secalert_us@oracle.com	https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2019/Apr/28	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/103788	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1040695	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit	Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://seclists.org/bugtraq/2019/Apr/27	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	oracle	access_manager	11.1.2.3.0
	oracle	access_manager	12.2.1.3.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8DEAFEDC-2D0F-4A5F-99A0-BD41DD6DC017",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A287FA5D-D7D9-40B4-8DB2-1D7CE1808408",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad en el componente Oracle Access Manager de Oracle Fusion Middleware (subcomponente: Authentication Engine). Las versiones compatibles que se han visto afectadas son la 11.1.2.3.0 y la 12.2.1.3.0. Una vulnerabilidad dif\u00edcilmente explotable permite que un atacante sin autenticar que tenga acceso a red por HTTP comprometa la seguridad de Oracle Access Manager. Aunque la vulnerabilidad est\u00e1 presente en Oracle Access Manager, los ataques podr\u00edan afectar seriamente a productos adicionales. Los ataques exitosos a esta vulnerabilidad pueden resultar en la toma de control de Oracle Access Manager. Nota: V\u00e9ase Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=showtype=NOTid=2386496.1\" rel=\"nofollow\"\u003eMy Oracle Support Note 2386496.1 para leer instrucciones sobre c\u00f3mo abordar este problema. CVSS 3.0 Base Score 9.0 (impactos en la confidencialidad, integridad y disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).\u003c/a\u003e"
    }
  ],
  "id": "CVE-2018-2879",
  "lastModified": "2024-11-21T04:04:40.597",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-04-19T02:29:07.803",
  "references": [
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Apr/28"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/103788"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1040695"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Apr/27"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Apr/28"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/103788"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1040695"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Apr/27"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/"
    }
  ],
  "sourceIdentifier": "secalert_us@oracle.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2018-09095

Vulnerability from cnvd - Published: 2018-05-08

Title

Oracle Access Manager远程漏洞（CNVD-2018-09095）

Description

Oracle Access Manager是适用于集中身份管理和访问控制的最新解决方案。 Oracle Access Manager组件存在远程安全漏洞，未经身份验证的远程攻击者可利用此漏洞影响完整性、机密性、可用性。

Severity

中

Patch Name

Oracle Access Manager远程漏洞（CNVD-2018-09095）的补丁

Patch Description

Oracle Access Manager是适用于集中身份管理和访问控制的最新解决方案。 Oracle Access Manager组件存在远程安全漏洞，未经身份验证的远程攻击者可利用此漏洞影响完整性、机密性、可用性。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-2879

Impacted products

Name
['Oracle Access Manager 11.1.2.3.0', 'Oracle Access Manager 12.2.1.3.0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "103788"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-2879",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2879"
    }
  },
  "description": "Oracle Access Manager\u662f\u9002\u7528\u4e8e\u96c6\u4e2d\u8eab\u4efd\u7ba1\u7406\u548c\u8bbf\u95ee\u63a7\u5236\u7684\u6700\u65b0\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nOracle Access Manager\u7ec4\u4ef6\u5b58\u5728\u8fdc\u7a0b\u5b89\u5168\u6f0f\u6d1e\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5f71\u54cd\u5b8c\u6574\u6027\u3001\u673a\u5bc6\u6027\u3001\u53ef\u7528\u6027\u3002",
  "discovererName": "Wolfgang Ettlinger of SEC Consult Vulnerability Lab",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-09095",
  "openTime": "2018-05-08",
  "patchDescription": "Oracle Access Manager\u662f\u9002\u7528\u4e8e\u96c6\u4e2d\u8eab\u4efd\u7ba1\u7406\u548c\u8bbf\u95ee\u63a7\u5236\u7684\u6700\u65b0\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nOracle Access Manager\u7ec4\u4ef6\u5b58\u5728\u8fdc\u7a0b\u5b89\u5168\u6f0f\u6d1e\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5f71\u54cd\u5b8c\u6574\u6027\u3001\u673a\u5bc6\u6027\u3001\u53ef\u7528\u6027\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Access Manager\u8fdc\u7a0b\u6f0f\u6d1e\uff08CNVD-2018-09095\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Oracle Access Manager 11.1.2.3.0",
      "Oracle Access Manager 12.2.1.3.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-2879",
  "serverity": "\u4e2d",
  "submitTime": "2018-04-23",
  "title": "Oracle Access Manager\u8fdc\u7a0b\u6f0f\u6d1e\uff08CNVD-2018-09095\uff09"
}

GHSA-5XGP-RMW9-5CFW

Vulnerability from github – Published: 2022-05-13 01:51 – Updated: 2022-05-13 01:51

Details

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID My Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Severity ?

9.0 (Critical)


                  
                    CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-2879"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-19T02:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID \u003ca href=\"http://support.oracle.com/CSP/main/article?cmd=show\u0026type=NOT\u0026id=2386496.1\"\u003eMy Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).",
  "id": "GHSA-5xgp-rmw9-5cfw",
  "modified": "2022-05-13T01:51:42Z",
  "published": "2022-05-13T01:51:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Apr/27"
    },
    {
      "type": "WEB",
      "url": "https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/152551/OAMbuster-Multi-Threaded-CVE-2018-2879-Scanner.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Apr/28"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103788"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040695"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-2879 (GCVE-0-2018-2879)

GSD-2018-2879

FKIE_CVE-2018-2879

CNVD-2018-09095

GHSA-5XGP-RMW9-5CFW

Tags

Sightings

Nomenclature